Abstract

We propose an automated deduction method which allows us to produce proofs close to the 
human intuition and practice. This method is based on tableaux, which generate more natural 
proofs than similar methods relying on clausal forms, and uses the principles of superdeduction, 
among which the theory is used to enrich the deduction system with new deduction rules. We 
present two implementations of this method, which consist of extensions of the Zenon automated 
theorem prover. The first implementation is a version dedicated to the set theory of the B formal
method, while the second implementation is a generic version able to deal with any first order 
theory. We also provide several examples of problems, which can be handled by these tools and 
which come from different theories, such as the B set theory or theories of the TPTP library. 


1 Introduction 

These days, theorem proving appears as an appropriate support for education in subjects such as 
mathematics and more generally logic, where proofs play a significant role. This can be explained by 
the fact that some of the existing theorem prover based systems have a long history of development, 
and constantly provide technical innovations not only in terms of design, but also in terms of theory. 
Among these theorem prover based systems, interactive theorem provers, such as Coq [20] for example,
appear to be quite appropriate tools, since they offer special environments dedicated to proving.
In particular, these special environments offer syntax and type checking, as well as a bounded set of 
tactics, i.e. commands building proofs when applied to proof goals. These environments also provide 
some assistance in the way of building proofs, since tactics are able to automatically and incrementally
produce proofs when applied to goals. This assistance does not only concern the application of
tactics, but may also be related to other aspects regarding modeling, such as the automated generation 
of induction schemes from inductive types for instance. However, these mechanized frameworks do 
not offer any guidance in the way of finding the right proof of a theorem, and if the user does not have 
the intuition of this proof (which may be acquired by thinking of the proof on paper), it is likely that 
he/she would experience some difficulties in building the corresponding proof, even with an interactive
proof loop (even worse, he/she would probably get lost by unnecessarily applying some tactics
in an endless way, like induction tactics for example). To deal with this problem of finding proofs,
we may consider the use of automated theorem provers as long as they at least provide proof traces
which are comprehensible enough to recover the intuition of the corresponding proofs. 

Automated theorem proving is a quite wide and still very active domain of research. In automated 
theorem proving, we generally distinguish the semantic methods from the syntactic methods. The semantic
methods, such as the Davis-Putnam algorithm 0 or the Binary Decision Diagrams [5] (BDDs)
for instance, have the advantage of being quite intuitive, but are limited to propositional calculus. To deal
with first order logic, we preferably rely on syntactic methods, which may be split into two large 
families of methods. The first family of methods is the saturation-based theorem proving, which was 
actually introduced by Robinson with the resolution calculus [|T^ . Resolution is a complete method 
working by refutation: a contradiction (i.e. the empty clause) has to be deduced from an unsatisfiable 
set of clauses. The search for a contradiction proceeds by saturating the given set of clauses, that is, 
systematically (and exhaustively) applying all applicable inference rules. The principle of resolution 
is general enough to allow many calculi to be seen as resolution-based calculi (binary resolution, 
positive resolution, semantic resolution, hyper-resolution, the inverse method, etc). However, a proof 
produced by resolution is not appropriate to get the intuition of the proof, since resolution actually 
works on a formula in clausal form (a preliminary step therefore consists in clausifying the initial 
formula), and there is little chance to understand the proof of the initial formula from the resolution 
proof (unless the initial formula is already in clausal form). The second family of syntactic methods 
tends to palliate this difficulty; its members are called tableau-based methods. Tableaux are actually much older
than resolution-based methods and were introduced by pioneers Hintikka ifT^ and Beth [O from the 
cut-free version of Gentzen’s sequent calculus [fTTlI . The tableau method still works by refutation but 
over the initial formula contrary to resolution, and by case distinction. More precisely, it allows us 
to systematically generate subcases until elementary contradictions are reached, building a kind of 
tree from which it is possible to almost directly produce a proof. Compared to resolution, tableaux 
therefore offer the possibility to build comprehensible proofs which are directly related to the corresponding
initial formulas.

If tableaux allow us to produce more comprehensible proofs, some recent deduction techniques 
have been developed and tend to improve the presentation of proofs in the usual deductive systems, 
in particular when reasoning modulo a theory. Among these new deduction techniques, there are, 
for example, deduction modulo [10] and superdeduction dH, which respectively focus on the computational
and deductive parts of a theory, and which can be considered as steps toward high-level
deductive languages. If deduction modulo and superdeduction are equivalent when reasoning modulo
a theory, superdeduction appears to be more appropriate to produce proofs close to the human
intuition as it allows us to naturally encode custom deduction schemes. In addition, the principle
of superdeduction relies on the generation of specific deduction rules (called superdeduction rules)
from the axioms of the theory, and in practice, it is much easier to extend existing tools with ad hoc
deduction rules than with a congruence over the formulas (coming from the computational rules of 
deduction modulo). 

In this paper, we propose an automated deduction method based both on tableaux and superdeduction.
As said previously, the main motivation is to build a system able to provide significant
help in matters of education by automatically producing proofs comprehensible enough to recover the
intuition of these proofs. To show that such a system is actually effective in practice, we also propose 
to implement this system by realizing an extension of an existing automated theorem prover called 
Zenon [3], and which relies on classical first order logic with equality and applies the tableau method
as proof search. In this context, the choice of Zenon is strongly influenced by its ability to produce
comprehensible proof traces (with several levels of details). In addition, Zenon offers an extension
mechanism, which allows us to extend its core of deductive rules to match specific requirements, and
which is therefore quite appropriate to integrate superdeduction. Two extensions of Zenon with superdeduction
have been implemented and will be considered in this paper. The first implementation
is dedicated to the set theory of the B method [1] (or B for short), which is a formal method and
allows engineers to develop software with high guarantees of confidence. This implementation is 
used by Siemens IC-MOL to automatically verify B proof rules coming from a database which is 
built adding rules from their several projects and applications, such as driverless metro systems for 
instance (see [Ell in for more details). The second implementation is generic and works over any 
first order theory, which allows us to use it to prove problems from the TPTP library in (which is a 
library of test problems for automated theorem proving systems). 

The paper is organized as follows: in Section 2, we first introduce the principles of superdeduction;
we then present, in Section 3, the computation of superdeduction rules from axioms in the framework
of the tableau method used by Zenon; finally, in Sections 4 and 5, we respectively describe the
implementation of our extensions of Zenon for the B set theory and for any first order theory, and 
also provide some examples respectively coming from the database of B proof rules maintained by 
Siemens IC-MOL and the TPTP library. 


2 Principles of Superdeduction 

In this section, we present the principles of superdeduction, which is a variant of deduction modulo, 
and which allows us to describe proofs in a more compact format in particular. In addition, we show 
that proofs in superdeduction are not only shorter, but also follow a more natural human reasoning 
scheme, and that custom deduction schemes, such as structural induction over Peano natural numbers 
for example, can be naturally encoded using superdeduction. 


2.1 Deduction Modulo and Superdeduction 

Deduction modulo [10] focuses on the computational part of a theory, where axioms are transformed
into rewrite rules, which induces a congruence over propositions, and where reasoning is performed 
modulo this congruence. Superdeduction 0| is a variant of deduction modulo, where axioms are used 
to enrich the deduction system with new deduction rules, which are called superdeduction rules. For 
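instance, considering the inclusion in set theory $\forall a, b\ (a \subseteq b \Leftrightarrow \forall x\ (x \in a \Rightarrow x \in b))$, the proof of
$A \subseteq A$ in sequent calculus has the following form:

\begin{prooftree}
\AxiomC{}
\RightLabel{Ax}
\UnaryInfC{$\ldots, x \in A \vdash A \subseteq A, x \in A$}
\UnaryInfC{$\ldots \vdash A \subseteq A, x \in A \Rightarrow x \in A$}
\RightLabel{$\forall$R}
\UnaryInfC{$\ldots \vdash A \subseteq A, \forall x\ (x \in A \Rightarrow x \in A)$}
\AxiomC{}
\RightLabel{Ax}
\UnaryInfC{$\ldots, A \subseteq A \vdash A \subseteq A$}
\RightLabel{$\Rightarrow$L}
\BinaryInfC{$\ldots, \forall x\ (x \in A \Rightarrow x \in A) \Rightarrow A \subseteq A \vdash A \subseteq A$}
\RightLabel{$\wedge$L}
\UnaryInfC{$A \subseteq A \Leftrightarrow \forall x\ (x \in A \Rightarrow x \in A) \vdash A \subseteq A$}
\RightLabel{$\forall$L $\times$ 2}
\UnaryInfC{$\forall a, b\ (a \subseteq b \Leftrightarrow \forall x\ (x \in a \Rightarrow x \in b)) \vdash A \subseteq A$}
\end{prooftree}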
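In deduction modulo, the axiom of inclusion can be seen as a computation rule and therefore
replaced by the rewrite rule $a \subseteq b \rightarrow \forall x\ (x \in a \Rightarrow x \in b)$. The previous proof is then transformed
as follows:

\begin{prooftree}
\AxiomC{}
\RightLabel{Ax}
\UnaryInfC{$x \in A \vdash x \in A$}
\UnaryInfC{$\vdash x \in A \Rightarrow x \in A$}
\RightLabel{$\forall$R, $A \subseteq A \rightarrow \forall x\ (x \in A \Rightarrow x \in A)$}
\UnaryInfC{$\vdash A \subseteq A$}
\end{prooftree}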


It can be noticed that the proof is much simpler than the one completed using sequent calculus. In
addition to simplicity, deduction modulo also allows for unbounded proof size speed-up [|3 .

Superdeduction proposes to go further than deduction modulo precisely when the considered axiom
defines a predicate $P$ with an equivalence $\forall x\ (P \Leftrightarrow \varphi)$. While deduction modulo replaces the
axiom by a rewrite rule, superdeduction adds to this transformation the decomposition of the connectives
occurring in this definition. This corresponds to an extension of Prawitz’s folding and unfolding
rules [fTTll (called introduction and elimination rules by Prawitz), where the connectives of the definition
are introduced and eliminated. The proposed (right) superdeduction rule is then the following
(there is also a corresponding left rule):


$$\dfrac{\Gamma, x \in a \vdash x \in b, \Delta}{\Gamma \vdash a \subseteq b, \Delta}\ \mathrm{IncR},\ x \notin \Gamma, \Delta$$


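Hence, proving $A \subseteq A$ with this new rule can be performed as follows:

\begin{prooftree}
\AxiomC{}
\RightLabel{Ax}
\UnaryInfC{$x \in A \vdash x \in A$}
\RightLabel{IncR}
\UnaryInfC{$\vdash A \subseteq A$}
\end{prooftree}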


This new proof is not only simpler and shorter than in deduction modulo, but also follows a natural 
human reasoning scheme usually used in mathematics as shown more precisely in the next subsection. 


2.2 Human Reasoning with Superdeduction 

Considering the previous example of inclusion in set theory, we can notice that the superdeduction
rule is more natural and intuitive than a simple folding rule à la Prawitz. Given two sets $A$ and $B$,
if we aim to prove $A \subseteq B$, it seems a little unusual to propose to prove $\forall x\ (x \in A \Rightarrow x \in B)$;
instead we propose to prove $x \in B$ given $x$ s.t. $x \in A$, which amounts to implicitly introducing
the connectives of the unfolded proposition. This implicit introduction of connectives is precisely
proposed by the previous superdeduction rule, which can be read as “if any element of $a$ is an element
of $b$, then $a \subseteq b$”.

Similarly, superdeduction can also be used to naturally encode custom deduction schemes. For example,
let us consider the structural induction scheme over Peano natural numbers (i.e. non-negative
integers). This scheme can be defined as follows (i.e. the natural numbers are seen as the set of terms
verifying the inductive predicate):

$$\forall n\ (n \in \mathbb{N} \Leftrightarrow \forall P\ (0 \in P \Rightarrow \forall m\ (m \in P \Rightarrow S(m) \in P) \Rightarrow n \in P))$$

In sequent calculus, this scheme can be encoded by the two following (right) superdeduction rules 
(there are also two corresponding left rules): 
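$$\dfrac{\Gamma, 0 \in P, H(P) \vdash n \in P, \Delta}{\Gamma \vdash n \in \mathbb{N}, \Delta}\ \mathrm{IndR},\ P \notin \Gamma, \Delta$$

$$\dfrac{\Gamma, m \in P \vdash S(m) \in P, \Delta}{\Gamma \vdash H(P), \Delta}\ \mathrm{HeredR},\ m \notin \Gamma, \Delta$$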


Let us notice that the induction scheme actually requires two superdeduction rules, one of which
(the rule HeredR) focuses on the heredity part of the scheme in particular. This focus
is motivated by the need to avoid permutability problems (between Skolemization and instantiation),
which may occur when computing superdeduction rules. These permutability problems are
quite common in automated proof search, and appear here since superdeduction systems are in fact
embedding a part of compiled automated deduction. In [4] and in order to deal with these permutability
problems, the authors use a method inspired by focusing techniques in the framework of sequent
calculus. It is worth noting that these permutability problems are managed in different ways by automated
deduction methods, and in particular, we will therefore not have to use focusing techniques
when integrating superdeduction to the tableau method in Section 3.


3 Tableaux with Superdeduction 

In this section, we present the tableau method used by the Zenon automated theorem prover, which 
deals with classical first order logic with equality and a specific support for equivalence relations. 
Once the rules of this method have been described, we show how it is possible to compute superdeduction
rules from axiomatic theories, and how these new rules extend the kernel of rules of Zenon.

3.1 The Tableau Method 

The proof search rules of Zenon are described in detail in [3] and summarized in Figure 1 (for the
sake of simplification, the unfolding and extension rules are omitted), where the “|” symbol is used
to separate the formulas of two distinct nodes to be created, $\epsilon$ is Hilbert’s operator ($\epsilon(x).P(x)$ means
some $x$ that satisfies $P(x)$, and is considered as a term), capital letters are used for metavariables,
and $R_r$, $R_s$, $R_t$, and $R_{ts}$ are respectively reflexive, symmetric, transitive, and transitive-symmetric
relations (the corresponding rules also apply to the equality in particular). As hinted by the use of
Hilbert’s operator, the $\delta$-rules are handled by means of $\epsilon$-terms rather than using Skolemization. What
we call here metavariables are often named free variables in the tableau-related literature; they are 
not used as variables as they are never substituted. The proof search rules are applied with the normal 
tableau method: starting from the negation of the goal, apply the rules in a top-down fashion to build 
a tree. When all branches are closed (i.e. end with an application of a closure rule), the tree is closed, 
and this closed tree is a proof of the goal. This algorithm is applied in strict depth-first order: we close 
the current branch before starting work on another branch. Moreover, we work in a non-destructive 
way: working on one branch will never change the formulas of another branch. 

3.2 From Axioms to Superdeduction Rules 

[Figure 1: Proof Search Rules of Zenon. Panels: Closure and Cut Rules; γ-Rules; Relational Rules.]

As mentioned in Section reasoning modulo a theory in a tableau method using superdeduction
requires generating new deduction rules from some axioms of the theory. The axioms which can be
considered for superdeduction are of the form $\forall x\ (P \Leftrightarrow \varphi)$, where $P$ is atomic. This specific form
of axiom allows us to introduce an orientation of the axiom from $P$ to $\varphi$, and we introduce the notion
of proposition rewrite rule (this notion appears in 0, from which we borrow the following definition
and notation):

Definition 1 (Proposition Rewrite Rule) The notation $R : P \rightarrow \varphi$ denotes the axiom $\forall x\ (P \Leftrightarrow \varphi)$,
where $R$ is the name of the rule, $P$ an atomic proposition, $\varphi$ a proposition, and $x$ the free variables
of $P$ and $\varphi$.

It should be noted that $P$ may contain first order terms and therefore that such an axiom is not just
a definition. For instance, $x \in \{y \mid y \in a \wedge y \in b\} \rightarrow x \in a \wedge x \in b$ (where the comprehension set
is a first order term) is a proposition rewrite rule.

Let us now describe how the computation of superdeduction rules for Zenon is performed from a
given proposition rewrite rule.

Definition 2 (Computation of Superdeduction Rules) Let $S$ be a set of rules composed by the subset
of the proof search rules of Zenon formed of the closure rules, the analytic rules, as well as the
$\gamma_{\forall M}$ and $\gamma_{\neg\exists M}$ rules. Given a proposition rewrite rule $R : P \rightarrow \varphi$, two superdeduction rules (a
positive one $R$ and a negative one $\neg R$) are generated in the following way:

1. To get the positive rule $R$, initialize the procedure with the formula $\varphi$. Next, apply the rules of
$S$ until there is no open leaf anymore on which they can be applied. Then, collect the premises
and the conclusion, and replace $\varphi$ by $P$ to obtain the positive rule $R$.

2. To get the negative rule $\neg R$, initialize the procedure with the formula $\neg\varphi$. Next, apply the
rules of $S$ until there is no open leaf anymore on which they can be applied. Then, collect the
premises and the conclusion, and replace $\neg\varphi$ by $\neg P$ to obtain the negative rule $\neg R$.

If the rule $R$ (resp. $\neg R$) involves metavariables, an instantiation rule $R_{inst}$ (resp. $\neg R_{inst}$) is added,
where one or several metavariables can be instantiated.


Integrating these new deduction rules to the proof search rules of Zenon is sound as they are
generated from a subset of rules of Zenon, while cut-free completeness cannot be preserved in general
(i.e. for any theory). In practice, soundness can be ensured by Zenon's ability to produce
proofs for some proof assistants, such as Coq and Isabelle, which can be used as proof checkers.

Let us illustrate the computation of superdeduction rules from a proposition rewrite rule with the
example of the set inclusion.


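Example 3 (Set Inclusion) From the definition of the set inclusion, we introduce the proposition
rewrite rule $\mathrm{Inc} : a \subseteq b \rightarrow \forall x\ (x \in a \Rightarrow x \in b)$, and the corresponding superdeduction rules Inc
and $\neg$Inc are generated as follows:

\begin{prooftree}
\AxiomC{$\forall x\ (x \in a \Rightarrow x \in b)$}
\RightLabel{$\gamma_{\forall M}$}
\UnaryInfC{$X \in a \Rightarrow X \in b$}
\UnaryInfC{$X \notin a \mid X \in b$}
\end{prooftree}

\begin{prooftree}
\AxiomC{$\neg\forall x\ (x \in a \Rightarrow x \in b)$}
\UnaryInfC{$\neg(\epsilon_x \in a \Rightarrow \epsilon_x \in b)$}
\UnaryInfC{$\epsilon_x \in a,\ \epsilon_x \notin b$}
\end{prooftree}

where $\epsilon_x = \epsilon(x).\neg(x \in a \Rightarrow x \in b)$.

The resulting superdeduction rules are then the following:

$$\dfrac{a \subseteq b}{X \notin a \mid X \in b}\ \mathrm{Inc} \qquad \dfrac{a \subseteq b}{t \notin a \mid t \in b}\ \mathrm{Inc}_{inst} \qquad \dfrac{a \not\subseteq b}{\epsilon_x \in a,\ \epsilon_x \notin b}\ \neg\mathrm{Inc}$$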
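The procedure of Definition 2 can be run mechanically; the following Python sketch is an added example, not Zenon's code and not taken from the paper. The tuple encoding of formulas, the function names, the `eps_x` naming of ε-terms and the choice to instantiate each quantifier once are assumptions of this example; it reproduces the rules of Example 3 and also handles the set equality axiom.

```python
# Encoding (an assumption of this example): formulas are nested tuples
#   ("atom", pred, t1, ..., tn) | ("not", F) | ("and"|"or"|"imp"|"iff", F, G)
#   ("all"|"ex", var, F)
# Terms are plain strings; bound variable names are assumed pairwise distinct.

def neg(f):
    return ("not", f)

def is_literal(f):
    return f[0] == "atom" or (f[0] == "not" and f[1][0] == "atom")

def subst(f, var, term):
    """Replace the free occurrences of variable `var` in f by `term`."""
    tag = f[0]
    if tag == "atom":
        return f[:2] + tuple(term if a == var else a for a in f[2:])
    if tag == "not":
        return ("not", subst(f[1], var, term))
    if tag in ("all", "ex"):
        return f if f[1] == var else (tag, f[1], subst(f[2], var, term))
    return (tag, subst(f[1], var, term), subst(f[2], var, term))

def step(f, meta):
    """Apply the rule of S matching the non-literal f; return the created nodes."""
    tag, pos = (f[1][0], False) if f[0] == "not" else (f[0], True)
    g = f if pos else f[1]
    if tag == "not":                                   # alpha rule: not not F
        return [[g[1]]]
    if tag in ("all", "ex"):
        if (tag == "all") == pos:                      # gamma rule: fresh metavariable
            inst = subst(g[2], g[1], meta(g[1]))
        else:                                          # delta rule: epsilon-term
            inst = subst(g[2], g[1], "eps_" + g[1])
        return [[inst if pos else neg(inst)]]
    a, b = g[1], g[2]
    table = {                                          # alpha rules: one node, beta rules: two
        ("and", True): [[a, b]],
        ("or", True): [[a], [b]],
        ("imp", True): [[neg(a)], [b]],
        ("iff", True): [[neg(a), neg(b)], [a, b]],
        ("and", False): [[neg(a)], [neg(b)]],
        ("or", False): [[neg(a), neg(b)]],
        ("imp", False): [[a, neg(b)]],
        ("iff", False): [[neg(a), b], [a, neg(b)]],
    }
    return table[(tag, pos)]

def expand(node, meta):
    """Saturate one node with the rules of S; return the open leaves."""
    for i, f in enumerate(node):
        if not is_literal(f):
            rest = node[:i] + node[i + 1:]
            return [leaf for new in step(f, meta) for leaf in expand(rest + new, meta)]
    closed = any(neg(f) in node for f in node)         # closure rule: P and not P
    return [] if closed else [node]

def superdeduction_rules(p, phi):
    """Return the positive and negative rules generated from R : p -> phi."""
    rules = {}
    for name, top, start in (("R", p, phi), ("notR", neg(p), neg(phi))):
        used = []
        def meta(var, used=used):
            used.append(var.upper() + (str(len(used)) if used else ""))
            return used[-1]
        rules[name] = {"top": top, "branches": expand([start], meta),
                       "needs_inst_rule": bool(used)}  # metavariables => R_inst
    return rules

def show(f):
    """Print a literal using the "-." negation sign of Zenon's traces."""
    return f"{f[1]}({', '.join(f[2:])})" if f[0] == "atom" else "-." + show(f[1])

def member(t, s):
    return ("atom", "in", t, s)

INC = ("all", "x", ("imp", member("x", "a"), member("x", "b")))   # Example 3
EQ = ("all", "x", ("iff", member("x", "a"), member("x", "b")))    # set equality axiom

if __name__ == "__main__":
    for label, p, phi in (("Inc", ("atom", "subset", "a", "b"), INC),
                          ("Eq", ("atom", "eq", "a", "b"), EQ)):
        for name, rule in superdeduction_rules(p, phi).items():
            branches = " | ".join(", ".join(map(show, b)) for b in rule["branches"])
            print(label, name, show(rule["top"]), "=>", branches)
```
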
4 An Implementation for the B Set Theory

In this section, we describe our first extension of Zenon with superdeduction in the case of the B set 
theory, which is the underlying theory of the B formal method, and where superdeduction rules are 
hard-coded from the initial axiomatic theory. We also propose an example of B proof rule coming 
from the database maintained by Siemens IC-MOL, and that can be verified by this tool producing a 
quite comprehensible proof. 

4.1 Superdeduction Rules for the B Set Theory 

This extension of Zenon for the B set theory is actually motivated by an experiment which is managed
by Siemens IC-MOL regarding the verification of B proof rules [13, 14]. The B method [1], or B for
short, allows engineers to develop software with high guarantees of confidence; more precisely it allows
them to build correct by design software. B is a formal method based on set theory and theorem
proving, and which relies on a refinement-based development process. The Atelier B environment [7]
is a platform that supports B and offers, among other tools, both automated and interactive provers.
In practice, to ensure the global correctness of formalized applications, the user must discharge proof
obligations. These proof obligations may be proved automatically, but otherwise, they have to be handled
manually either by using the interactive prover, or by adding new proof rules that the automated
prover can exploit. These new proof rules can be seen as axioms and must be verified by other means,
otherwise the global correctness may be endangered.

In [13], we develop an approach based on the use of Zenon to verify B proof rules. The method
used in this approach consists in first normalizing the formulas to be proved, in order to obtain first 
order formulas containing only the membership set operator, and then calling Zenon on these new 
formulas. This experiment gives satisfactory results in the sense that it can prove a significant part 
of the rules coming from the database maintained by Siemens IC-MOL (we can deal with about 
1,400 rules, 1,100 of which can be proved automatically, over a total of 5,300 rules). However, this 
approach is not complete (after the normalization, Zenon proves the formulas without any axiom 
of set theory, while some instantiations may require to be normalized), and suffers from efficiency 
issues (due to the preliminary normalization). To deal with these problems, the idea developed in [14]
is to integrate the axioms and constructs of the B set theory into the Zenon proof search method 
by means of superdeduction rules. This integration is concretely achieved thanks to the extension 
mechanism offered by Zenon, which allows us to extend its core of deductive rules to match specific 
requirements. This new tool has shown significant speed-ups both in terms of proof time and
proof size compared to the previous approach (see [14] for more details).

The B method is based on a typed set theory. There are two rule systems: one for demonstrating 
that a formula is well-typed, and one for demonstrating that a formula is a logical consequence of a 
set of axioms. The main aim of the type system is to avoid inconsistent formulas, such as Russell’s 
paradox for example. The B proof system is based on a sequent calculus with equality. Six axiom 
schemes define the basic operators and the extensionality which, in turn, defines the equality of two 
sets. In addition, the other operators ($\cup$, $\cap$, etc.) are defined using the previous basic ones. To generate
the superdeduction rules corresponding to the axioms and constructs, we use the algorithm described 
in Section and we must therefore identify the several proposition rewrite rules. Regarding the 
axioms, they are all of the form $P_i \Leftrightarrow Q_i$, and the associated proposition rewrite rules are therefore
$R_i : P_i \rightarrow Q_i$, where each axiom is oriented from left to right. For instance, let us consider the
equality of two sets, which is defined by the following axiom:


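$$a = b \Leftrightarrow \forall x\ (x \in a \Leftrightarrow x \in b)$$

From this axiom, we can compute two superdeduction rules as follows (a third rule dealing with
instantiation is also implicitly computed since one of the generated rules involves metavariables):

$$\dfrac{a = b}{X \notin a,\ X \notin b \mid X \in a,\ X \in b} \qquad \dfrac{a \neq b}{\epsilon_x \notin a,\ \epsilon_x \in b \mid \epsilon_x \in a,\ \epsilon_x \notin b}$$

with $\epsilon_x = \epsilon(x).\neg(x \in a \Leftrightarrow x \in b)$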


Concerning the constructs, they are expressed by definitions of the form $E_i = F_i$, where $E_i$ and
$F_i$ are expressions, and the corresponding proposition rewrite rules are $R_i : x \in E_i \rightarrow x \in F_i$.

Let us illustrate the computation of superdeduction rules for constructs with the example of domain
restriction, which is defined in the following way:

$$a \lhd b = \mathrm{id}(a); b$$

where:

$$a; b = \{ (x, z) \mid \exists y\ ((x, y) \in a \wedge (y, z) \in b) \}$$
$$\mathrm{id}(a) = \{ (x, y) \mid (x, y) \in a \times a \wedge x = y \}$$

The corresponding superdeduction rules are computed as follows:

$$\dfrac{(x, y) \in a \lhd b}{(x, y) \in b,\ x \in a} \qquad \dfrac{(x, y) \notin a \lhd b}{(x, y) \notin b \mid x \notin a}$$

For further details regarding the computation of superdeduction rules for the B set theory, as well
as the corresponding implementation using Zenon, the reader can refer to [14].

4.2 Verification of a B Proof Rule 

To assess our extension of Zenon for the B set theory using superdeduction and to show that it
can produce proofs comprehensible enough to recover the intuition of these proofs, we propose to
consider the example of a B proof rule coming from the database maintained by Siemens IC-MOL.
The rule being considered is the rule named “SimplifyRelDorXY.27” (this rule is actually part of the
Atelier B set of rules), and whose proof is small enough to be understood easily and described in the
space restrictions for this paper. The definition of this rule is the following:

$$\emptyset \lhd a = \emptyset$$

When applied to this rule, our extension of Zenon produces the proof of Figure 2 (Zenon proposes
several proof formats, and the proof presented in this figure uses the format with the highest
level of abstraction). The statement of the rule, i.e. the command starting with “fof”, is provided
using the TPTP syntax [|T^, and the proof (if found) is displayed after this statement. The proof
fof(simplifyRelDorXY_27, conjecture,
    b_eq (b_drest (b_empty, a), b_empty)).

(* PROOF-FOUND *)
1. H0: (-. (b_eq (b_drest (b_empty) (a)) (b_empty)))
   ### [Extension/b/b_not_eq H0 H1 H2 H3 H4 H5 H6] --> 2 3
2. H2: (b_in T_7 (b_empty))
   ### [Extension/b/b_in_empty H2 H8 H9 H7] --> 4
4. H9: (-. (b_in T_7 (b_BIG)))
   H8: (b_in T_7 (b_BIG))
   ### [Axiom H8 H9]
3. H3: (b_in T_7 (b_drest (b_empty) (a)))
   ### [Extension/b/b_in_drest H3 H10 H11 H12 H7 H6 H13] --> 5
5. H12: (b_in T_14 (b_empty))
   ### [Extension/b/b_in_empty H12 H15 H16 H14] --> 6
6. H16: (-. (b_in T_14 (b_BIG)))
   H15: (b_in T_14 (b_BIG))
   ### [Axiom H15 H16]

Figure 2: Proof of Rule “SimplifyRelDorXY.27” of Atelier B

consists of several numbered steps, where each of them is a set of formulas together with a proof rule
which has been applied to the considered proof step. Formulas of a proof step are signed formulas,
and formulas starting with “-.” are negative formulas. A proof rule appears at the end of a proof step
and after the string “###”, and also provides, after the string “-->”, the other proof steps to which it is
connected (these other proof steps represent the result of the application of this proof rule to the set
of formulas of the considered proof step). For example, in this proof, Step 1 is connected to Steps 2
and 3. This connection between proof steps provides the proof with a tree-like structure, where proof
steps with axiomatic rules, i.e. starting with “Axiom”, are leaves, while the other proof steps are
nodes. Among these other proof steps, there are in particular superdeduction rules, which start with
“Extension”. In this proof, the B constructs are prefixed by “b_”, and “b_empty”, “b_BIG”, “b_in”,
“b_eq”, and “b_drest” respectively represent the empty set $\emptyset$, the set BIG (which is an infinite set,
mostly only used to build natural numbers in the foundational theory), the membership operator “$\in$”,
the (extensional) equality “=”, and the domain restriction construct “$\lhd$”.
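The trace format just described can be parsed and its tree structure checked mechanically. The following Python sketch is an added example, not part of Zenon or of the paper; the function names are hypothetical, the embedded trace is the one of Figure 2 with extraction damage repaired, and the check that every leaf is closed by “Axiom” follows the description above rather than a full specification of Zenon's output.

```python
import re

# Trace of Figure 2 (hypothesis names, arrows and parentheses repaired).
TRACE = """\
(* PROOF-FOUND *)
1. H0: (-. (b_eq (b_drest (b_empty) (a)) (b_empty)))
### [Extension/b/b_not_eq H0 H1 H2 H3 H4 H5 H6] --> 2 3
2. H2: (b_in T_7 (b_empty))
### [Extension/b/b_in_empty H2 H8 H9 H7] --> 4
4. H9: (-. (b_in T_7 (b_BIG)))
H8: (b_in T_7 (b_BIG))
### [Axiom H8 H9]
3. H3: (b_in T_7 (b_drest (b_empty) (a)))
### [Extension/b/b_in_drest H3 H10 H11 H12 H7 H6 H13] --> 5
5. H12: (b_in T_14 (b_empty))
### [Extension/b/b_in_empty H12 H15 H16 H14] --> 6
6. H16: (-. (b_in T_14 (b_BIG)))
H15: (b_in T_14 (b_BIG))
### [Axiom H15 H16]
"""

STEP = re.compile(r"^(\d+)\.\s+(H\d+):\s+(.+)$")
HYP = re.compile(r"^(H\d+):\s+(.+)$")
RULE = re.compile(r"^###\s+\[(\S+)((?:\s+H\d+)*)\]\s*(?:-->\s*([\d\s]+))?$")

def parse_trace(text):
    """Return {step number: {"formulas", "rule", "args", "children"}}."""
    steps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(*"):
            continue
        if m := STEP.match(line):
            current = int(m.group(1))
            steps[current] = {"formulas": {m.group(2): m.group(3)},
                              "rule": None, "args": [], "children": []}
        elif current is None:
            raise ValueError(f"formula or rule outside a proof step: {line!r}")
        elif m := HYP.match(line):
            steps[current]["formulas"][m.group(1)] = m.group(2)
        elif m := RULE.match(line):
            steps[current].update(rule=m.group(1), args=m.group(2).split(),
                                  children=[int(n) for n in (m.group(3) or "").split()])
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return steps

def check_tree(steps, root=1):
    """Check that the steps form a tree whose leaves are Axiom steps.

    Returns (leaves, superdeduction rule names in depth-first order).
    """
    leaves, extensions, seen = [], [], set()

    def visit(n):
        if n not in steps:
            raise ValueError(f"step {n} is referenced but missing")
        if n in seen:
            raise ValueError(f"step {n} is reached twice: not a tree")
        seen.add(n)
        s = steps[n]
        if s["rule"] is None:
            raise ValueError(f"step {n} has no rule: open branch")
        if not s["children"]:
            if s["rule"] != "Axiom":
                raise ValueError(f"leaf step {n} is closed by {s['rule']}, not Axiom")
            leaves.append(n)
            return
        if s["rule"].startswith("Extension/"):
            extensions.append(s["rule"].split("/")[-1])
        for child in s["children"]:
            visit(child)

    visit(root)
    if seen != set(steps):
        raise ValueError(f"unreachable steps: {sorted(set(steps) - seen)}")
    return leaves, extensions

if __name__ == "__main__":
    print(check_tree(parse_trace(TRACE)))
```
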

As can be observed, this proof expressed in this format can be easily understood not only thanks 
to the tableau method which follows a natural way to find the proof in this case, but also thanks 
to superdeduction rules which allow us to shorten the proof removing formal details useless for the 
comprehension of the proof. To justify this claim, let us describe the formal proof sketch which can 
be extracted from this formal proof, and which is appropriate to provide the intuition of the proof. 
This formal proof sketch is built as follows: 

1. The proof starts from the sequent “$\vdash \emptyset \lhd a = \emptyset$”, which corresponds to Hypothesis H0 in Step 1
in the formal proof (where the initial formula has been negated since the tableau method works
by refutation). The proof rule applied to this sequent is a superdeduction rule which deals with
the equality, and which corresponds to the superdeduction rule named “b_not_eq” in the formal
proof, i.e. the negation of the equality still because the initial formula has been negated. In
sequent calculus, this superdeduction rule is the following:

$$\dfrac{\Gamma, x \in a \vdash x \in b, \Delta \qquad \Gamma, x \in b \vdash x \in a, \Delta}{\Gamma \vdash a = b, \Delta}\ {=}\mathrm{R},\ x \notin \Gamma, \Delta$$

2. Applying the superdeduction rule for equality, we obtain two cases to prove (as shown by
the rule above). The formal proof focuses on the right-hand side of the rule at first, and we
therefore have to prove the sequent “$x \in \emptyset \vdash x \in \emptyset \lhd a$”, which corresponds to Step 2. As can
be seen, in the set of formulas of each proof step, the formal proof only displays the formulas
which are useful to complete the proof. For instance, in Step 2, the formula “$x \in \emptyset \lhd a$” is
not displayed (even though it is present in the set of formulas), because it is not used in the
rest of the proof. The formal proof therefore focuses on the hypothesis “$x \in \emptyset$” and
applies the superdeduction rule named “b_in_empty” and corresponding to the empty set. In B,
the empty set is defined as follows: $\emptyset = \mathrm{BIG} - \mathrm{BIG}$. In sequent calculus, the corresponding
superdeduction rule is then computed as follows:

$$\dfrac{\Gamma, x \in \mathrm{BIG}, x \notin \mathrm{BIG} \vdash \Delta}{\Gamma, x \in \emptyset \vdash \Delta}$$

Once this rule has been applied, we obtain the sequent “$x \in \mathrm{BIG}, x \notin \mathrm{BIG} \vdash x \in \emptyset \lhd a$”,
which is proved by reductio ad absurdum and corresponds to Step 4 in the formal proof.

3. The second case following the application of the superdeduction rule for equality corresponds
to the sequent “$x \in \emptyset \lhd a \vdash x \in \emptyset$”, which appears to be Step 3 in the formal proof. In this
step, the formal proof focuses on the hypothesis “$x \in \emptyset \lhd a$”, and applies the superdeduction
rule named “b_in_drest” and corresponding to the domain restriction. This superdeduction rule
is the following in sequent calculus:

$$\dfrac{\Gamma, x = (y, z), (y, z) \in b, y \in a \vdash \Delta}{\Gamma, x \in a \lhd b \vdash \Delta}\ {\lhd}\mathrm{L},\ y, z \notin \Gamma, \Delta$$

Once this rule has been applied, we obtain the sequent “$x = (y, z), (y, z) \in a, y \in \emptyset \vdash x \in \emptyset$”,
where the formal proof can again focus on the hypothesis $y \in \emptyset$ in Step 5 and close the proof
as previously in Step 6.


From this formal proof sketch, it is now quite easy to produce an informal and short proof (as it 
would have been done in a textbook) as follows: 

• To show $\emptyset \lhd a = \emptyset$, we have to consider two cases: given $x \in \emptyset$, we must show $x \in \emptyset \lhd a$, and
given $x \in \emptyset \lhd a$, we must show $x \in \emptyset$;

1. If $x \in \emptyset$ then $x \in \mathrm{BIG}$ and $x \notin \mathrm{BIG}$, which is therefore absurd;

2. If $x \in \emptyset \lhd a$ then $x = (y, z)$, $(y, z) \in a$, and $y \in \emptyset$, which is absurd as previously.
5 A Generic Implementation for First Order Theories

In this section, we present our second extension of Zenon with superdeduction, which is able to deal 
with any first order theory. In this extension, the theory is analyzed to determine the axioms which can 
be turned into superdeduction rules, and these superdeduction rules are automatically computed on 
the fly to enrich the deductive kernel of Zenon. We also describe the proofs of two examples coming 
from the TPTP library and produced by this tool, and which are quite comprehensible as well. 

5.1 From Theories to Superdeduction Systems 

This extension of Zenon is actually a generalization of the previous one dedicated to the B set theory,
where superdeduction rules are henceforth automatically computed on the fly. In the previous
extension, superdeduction rules are hard-coded since the B set theory is a higher order theory due to 
one of the axioms of the theory (the comprehension scheme), and we have to deal with this axiom 
specifically in the implementation of Zenon. Even though some techniques exist to handle higher 
order theories as first order theories (like the theory of classes, for example), a hard-coding of these 
theories may be preferred as these techniques unfortunately tend to increase the entropy of the proof 
search. In addition, in the previous extension, some of the superdeduction rules must be manually 
generated as they must be shrewdly tuned (ordering the several branches of the rules, for instance) 
to make the tool efficient. The new extension of Zenon dealing with any first order theory has been 
developed as a tool called Super Zenon [15], where each theory is analyzed to determine the axioms
which are candidates to be turned into superdeduction rules. As said previously, axioms of the form
$\forall \bar{x}\, (P \Leftrightarrow \varphi)$, where $P$ is atomic, can be transformed, but we can actually deal with more axioms.
Here is the exhaustive list of axioms that can be handled, as well as the corresponding superdeduction
rules that can be generated (in the following, $P$ and $P'$ are atomic, and $\varphi$ is an arbitrary formula):

• Axiom of the form $\forall \bar{x}\, (P \Leftrightarrow \varphi)$: we consider the proposition rewrite rule $R : P \rightarrow \varphi$, and the
two superdeduction rules $R$ and $\neg R$ are generated;

• Axiom of the form $\forall \bar{x}\, (P \Rightarrow P')$: we consider the proposition rewrite rules $R : P \rightarrow P'$ and
$R' : \neg P' \rightarrow \neg P$, and only the superdeduction rules $R$ and $R'$ are generated;

• Axiom of the form $\forall \bar{x}\, (P \Rightarrow \varphi)$: we consider the proposition rewrite rule $R : P \rightarrow \varphi$, and
only the superdeduction rule $R$ is generated;

• Axiom of the form $\forall \bar{x}\, (\varphi \Rightarrow P)$: we consider the proposition rewrite rule $R : \neg P \rightarrow \neg\varphi$, and
only the superdeduction rule $R$ is generated;

• Axiom of the form $\forall \bar{x}\, P$: we consider the proposition rewrite rule $R : \neg P \rightarrow \bot$, and only the
superdeduction rule $R$ is generated.

The axioms of the theory, which are not of these forms, are left as regular axioms. An axiom, 
which is of one of these forms, is also left as a regular axiom if the conclusion of one of the generated 
superdeduction rules (i.e. the top formula of one of these rules) unifies with the conclusion of an 
already computed superdeduction rule (in this case, the theory is actually non-deterministic and we 
try to minimize this source of non-determinism by dividing these incriminated axioms among the sets 
of superdeduction rules and regular axioms). An axiom, which is of one of these forms, is still left as
a regular axiom if $P$ is an equality (as we do not want to interfere with the specific management of
equality by the kernel of Zenon). Finally, it should be noted that for axioms of the form $\forall \bar{x}\, (P \Rightarrow P')$,
we also consider the proposition rewrite rule which corresponds to the converse of the initial formula; 
this actually allows us to keep cut-free completeness in this particular case. 


5.2 Proof of a Logic Puzzle 

As the Super Zenon tool is able to deal with any first order theory, it can be used in many contexts, 
and in particular, it can be applied to all the first order problems of the TPTP library ifT^ (about 
6,600 problems), which is a library of test problems for automated theorem proving systems. To 
assess the effectiveness of this tool and to show that it can also produce comprehensible proofs, let 
us consider an example from the puzzle category of TPTP called “Crime in Beautiful Washington”
(Puzzle #132), which is a problem in the same vein as the well-known “Who Killed Aunt Agatha?”
puzzle. This kind of problem is quite appropriate for educational purposes when teaching artificial
intelligence and logic for example. The problem being considered consists of the following axioms:


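$$\begin{array}{ll}
\forall x\, (\mathrm{capital}(x) \Rightarrow \mathrm{city}(x)) & (\mathit{capital\_city\_type}) \\
\mathrm{capital}(\mathrm{washington}) & (\mathit{washington\_type}) \\
\mathrm{country}(\mathrm{usa}) & (\mathit{usa\_type}) \\
\forall x\, (\mathrm{country}(x) \Rightarrow \mathrm{capital}(\mathrm{capital\_city}(x))) & (\mathit{country\_capital\_type}) \\
\forall x\, (\mathrm{city}(x) \Rightarrow \mathrm{has\_crime}(x)) & (\mathit{crime\_axiom}) \\
\mathrm{capital\_city}(\mathrm{usa}) = \mathrm{washington} & (\mathit{usa\_capital\_axiom}) \\
\forall x\, (\mathrm{country}(x) \Rightarrow \mathrm{beautiful}(\mathrm{capital\_city}(x))) & (\mathit{beautiful\_capital\_axiom})
\end{array}$$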


As can be observed, all the axioms can be turned into superdeduction rules, except the axiom
(usa_capital_axiom) since it is an equality, and the axiom (beautiful_capital_axiom) since one
of the generated superdeduction rules for this axiom overlaps with one of the superdeduction rules
computed previously for the axiom (country_capital_type).
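
The triage described in Section 5.1 can be replayed on the axioms of this puzzle. The following Python code is an added example, not Super Zenon's own code: the tuple encoding of formulas, the function names, and the reading of a rule's conclusion as a signed atom (with the equality test applied to every such atom) are assumptions made here.

```python
CONNECTIVES = {"not", "and", "or", "imp", "iff"}
def is_var(t):  # TPTP convention: a variable starts with an upper-case letter
    return isinstance(t, str) and t[:1].isupper()
def is_atom(f):  # atoms are tuples (predicate, arg, ...); "=" counts as a predicate
    return isinstance(f, tuple) and f[0] not in CONNECTIVES
def walk(t, s):  # follow variable bindings in the substitution s
    while is_var(t) and t in s:
        t = s[t]
    return t
def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, x, s) for x in t[1:]))

def unify(a, b, s):  # syntactic unification with occurs check; None on failure
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a):
        return None if occurs(a, b, s) else {**s, a: b}
    if is_var(b):
        return unify(b, a, s)
    if not (isinstance(a, tuple) and isinstance(b, tuple)) or a[0] != b[0] or len(a) != len(b):
        return None
    for x, y in zip(a[1:], b[1:]):
        if (s := unify(x, y, s)) is None:
            return None
    return s

def rename(t, tag):  # rename variables apart before comparing two rules
    if isinstance(t, tuple):
        return (t[0],) + tuple(rename(x, tag) for x in t[1:])
    return t + tag if is_var(t) else t

def rule_heads(ax):  # signed atoms (True = P, False = not P) triggering the rules
    if is_atom(ax):                                   # P          R: not P -> bottom
        return [(False, ax)]
    if ax[0] == "iff" and is_atom(ax[1]):             # P <=> phi  R and not-R
        return [(True, ax[1]), (False, ax[1])]
    if ax[0] == "imp":  # P => P' gives both heads, P => phi the first, phi => P the second
        heads = [(sign, f) for sign, f in ((True, ax[1]), (False, ax[2])) if is_atom(f)]
        return heads or None
    return None                                       # none of the five forms

def overlap(h, g):  # same sign and unifiable atoms
    return h[0] == g[0] and unify(rename(h[1], "_1"), rename(g[1], "_2"), {}) is not None

def triage(axioms):  # ({name: heads} turned into rules, {name: reason} left as axioms)
    rules, regular = {}, {}
    for name, ax in axioms:
        heads = rule_heads(ax)
        if heads is None:
            regular[name] = "not one of the five forms"
        elif any(atom[0] == "=" for _, atom in heads):
            regular[name] = "equality"
        elif clash := next((n for n, hs in rules.items() for h in hs for g in heads
                            if overlap(h, g)), None):
            regular[name] = "overlaps with " + clash
        else:
            rules[name] = heads
    return rules, regular

PUZZLE = [  # the seven axioms of the puzzle, in the order given above
    ("capital_city_type", ("imp", ("capital", "X"), ("city", "X"))),
    ("washington_type", ("capital", "washington")),
    ("usa_type", ("country", "usa")),
    ("country_capital_type", ("imp", ("country", "X"), ("capital", ("capital_city", "X")))),
    ("crime_axiom", ("imp", ("city", "X"), ("has_crime", "X"))),
    ("usa_capital_axiom", ("=", ("capital_city", "usa"), "washington")),
    ("beautiful_capital_axiom", ("imp", ("country", "X"), ("beautiful", ("capital_city", "X"))))]
if __name__ == "__main__":
    print(triage(PUZZLE)[1])
```

Matching on the sign matters here: if the atoms were compared without it, (washington_type) would clash with (capital_city_type), which is not the outcome reported above.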

The conjecture to be proved is expressed as follows: 


$$\mathrm{beautiful}(\mathrm{washington}) \land \mathrm{has\_crime}(\mathrm{washington})$$

When applied to this specification, Super Zenon produces the proof of Figure 3 for the previous
conjecture (we still use the proof format with the highest level of abstraction). As in the example of
verification of a B proof rule in the previous section, it is possible to build quite directly the following informal
proof sketch from this formal proof:

• To show $\mathrm{beautiful}(\mathrm{washington}) \land \mathrm{has\_crime}(\mathrm{washington})$, we have to consider the two cases
$\mathrm{beautiful}(\mathrm{washington})$ and $\mathrm{has\_crime}(\mathrm{washington})$;

1. To show $\mathrm{beautiful}(\mathrm{washington})$, we apply the axiom (beautiful_capital_axiom) instantiated
with $\mathrm{usa}$, and we have to consider two cases: we must show $\mathrm{country}(\mathrm{usa})$, and
given $\mathrm{beautiful}(\mathrm{capital\_city}(\mathrm{usa}))$, we must show $\mathrm{beautiful}(\mathrm{washington})$;

(a) To show $\mathrm{country}(\mathrm{usa})$, we use the axiom (usa_type);

    fof(washington_conjecture, conjecture,
        (beautiful(washington) & has_crime(washington))).

    (* PROOF-FOUND *)
    1. H0: (-. ((beautiful (washington)) /\ (has_crime (washington))))
       H1: ((capital_city (usa)) = (washington))
       H2: (All X, ((country X) => (beautiful (capital_city X))))
       ### [NotAnd H0] --> 2 3
    2. H3: (-. (beautiful (washington)))
       ### [All H2] --> 4
    4. H4: ((country (usa)) => (beautiful (capital_city (usa))))
       ### [Imply H4] --> 5 6
    5. H5: (-. (country (usa)))
       ### [Extension/szen/usa_type H5]
    6. H6: (beautiful (capital_city (usa)))
       ### [P-NotP H6 H3] --> 7
    7. H7: ((capital_city (usa)) != (washington))
       ### [Axiom H1 H7]
    3. H8: (-. (has_crime (washington)))
       ### [Extension/szen/crime_axiom H8 H9 H10] --> 8
    8. H9: (-. (city (washington)))
       ### [Extension/szen/capital_city_type H9 H11 H10] --> 9
    9. H11: (-. (capital (washington)))
       ### [Extension/szen/washington_type H11]

Figure 3: Proof of Puzzle #132 of TPTP


(b) Given $\mathrm{beautiful}(\mathrm{capital\_city}(\mathrm{usa}))$, to show $\mathrm{beautiful}(\mathrm{washington})$, it is enough to
show $\mathrm{capital\_city}(\mathrm{usa}) = \mathrm{washington}$ using the axiom (usa_capital_axiom).

2. To show $\mathrm{has\_crime}(\mathrm{washington})$, we apply the axiom (crime_axiom), and we must show
$\mathrm{city}(\mathrm{washington})$;

- To show $\mathrm{city}(\mathrm{washington})$, we apply the axiom (capital_city_type), and we must
show $\mathrm{capital}(\mathrm{washington})$;

- To show $\mathrm{capital}(\mathrm{washington})$, we use the axiom (washington_type).


5.3 Proof of a Geometry Problem 

As a second example of proof, we consider a problem coming from the geometry category of the 
TPTP library. This problem (Problem #170-1-3) states that if two distinct points are incident with a 
line, then this line is equivalent with the connecting line of these points. The interest of such an 
example is actually twofold. First, the corresponding proof is larger (but remains reasonably large 
to be presented in this paper) than for the previously considered examples, which tends to show that
our approach is effective even when the proofs require more than 20 steps. Second, the subject of
geometry is quite fundamental in the high school curriculum in the sense that it is generally the only
mathematical topic where proofs are explicitly mentioned and where formal reasoning is actually 
considered. The axioms considered in this example are the axioms of constructive geometry, but 
Super Zenon uses classical logic and constructive geometry plus classical logic is equivalent to 
textbook theories. The proof of this example uses the following axioms of this theory (we use the 
names given in the TPTP files): 


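$$\begin{array}{ll}
\forall x, y\, (\mathrm{distinct\_points}(x, y) \Rightarrow \neg\mathrm{apart\_point\_and\_line}(x, \mathrm{line\_connecting}(x, y))) & (\mathit{ci1}) \\
\forall x, y\, (\mathrm{distinct\_points}(x, y) \Rightarrow \neg\mathrm{apart\_point\_and\_line}(y, \mathrm{line\_connecting}(x, y))) & (\mathit{ci2}) \\
\forall x, y, u, v\, (\mathrm{distinct\_points}(x, y) \land \mathrm{distinct\_lines}(u, v) \Rightarrow & \\
\quad \mathrm{apart\_point\_and\_line}(x, u) \lor \mathrm{apart\_point\_and\_line}(x, v)\ \lor & \\
\quad \mathrm{apart\_point\_and\_line}(y, u) \lor \mathrm{apart\_point\_and\_line}(y, v)) & (\mathit{cu1}) \\
\forall x, y\, (\mathrm{equal\_lines}(x, y) \Leftrightarrow \neg\mathrm{distinct\_lines}(x, y)) & (\mathit{ax2}) \\
\forall x, y\, (\mathrm{incident\_point\_and\_line}(x, y) \Leftrightarrow \neg\mathrm{apart\_point\_and\_line}(x, y)) & (\mathit{a4})
\end{array}$$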

where $\mathrm{distinct\_points}(x, y)$ (resp. $\mathrm{distinct\_lines}(x, y)$) means that $x$ and $y$ are two distinct points
(resp. lines), $\mathrm{incident\_point\_and\_line}(x, y)$ (resp. $\mathrm{apart\_point\_and\_line}(x, y)$) means that the point
$x$ is (resp. is not) incident with the line $y$, $\mathrm{equal\_lines}(x, y)$ means that $x$ and $y$ denote the same line,
and $\mathrm{line\_connecting}(x, y)$ denotes the line connecting the points $x$ and $y$.

Among these axioms, the axioms (ci2), (ax2), and (a4) are turned into superdeduction rules.
The axiom (ci1) is left as an axiom because one of its superdeduction rules overlaps with one of the
superdeduction rules computed previously for the axiom (ci2). The axiom (cu1) is also left as an
axiom because it does not have the right form to be turned into superdeduction rules. It should be noted
that for the axiom (ax2), a superdeduction rule corresponding to the converse of this axiom is also
generated since both sides of the implication are atomic.

The conjecture given previously is formally expressed as follows: 

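$$\begin{array}{l}
\forall x, y, z\, (\mathrm{distinct\_points}(x, y) \land \mathrm{incident\_point\_and\_line}(x, z)\ \land \\
\quad \mathrm{incident\_point\_and\_line}(y, z) \Rightarrow \mathrm{equal\_lines}(z, \mathrm{line\_connecting}(x, y)))
\end{array}$$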

When applied to this problem, Super Zenon is able to produce the proof of Figures 4 and 5 (we
use the same proof format as for the previous examples), where the preliminary Skolemization steps
are compressed (Steps 2 and 3 are left implicit). From this proof, it is possible to build the following
informal proof sketch as previously:

• Given the points $x$, $y$, and the line $z$ s.t. $\mathrm{distinct\_points}(x, y)$, $\mathrm{incident\_point\_and\_line}(x, z)$,
and $\mathrm{incident\_point\_and\_line}(y, z)$, we have to show $\mathrm{equal\_lines}(z, \mathrm{line\_connecting}(x, y))$;

• From the hypotheses $\mathrm{incident\_point\_and\_line}(x, z)$ and $\mathrm{incident\_point\_and\_line}(y, z)$, we
have $\neg\mathrm{apart\_point\_and\_line}(x, z)$ and $\neg\mathrm{apart\_point\_and\_line}(y, z)$ using the axiom (a4);

• Using the axiom (ax2), the goal $\mathrm{equal\_lines}(z, \mathrm{line\_connecting}(x, y))$ to be proved is equivalent
to $\neg\mathrm{distinct\_lines}(z, \mathrm{line\_connecting}(x, y))$;

• Using the axiom (cu1) with $x$, $y$, $z$, and $\mathrm{line\_connecting}(x, y)$, we have to show the previous
goal in the following cases:

    fof(geometry_conjecture, conjecture,
        (! [X, Y, Z] : ((distinct_points(X, Y) &
                         incident_point_and_line(X, Z) &
                         incident_point_and_line(Y, Z)) =>
                        equal_lines(Z, line_connecting(X, Y))))).

    (* PROOF-FOUND *)
    1. H0: (-. (All X, (All Y, (All Z, (((distinct_points X Y) /\
             ((incident_point_and_line X Z) /\
              (incident_point_and_line Y Z))) =>
             (equal_lines Z (line_connecting X Y)))))))
       H1: (All X, (All Y, ((distinct_points X Y) =>
             (-. (apart_point_and_line X (line_connecting X Y))))))
       H2: (All X, (All Y, (All U, (All V, (((distinct_points X Y) /\
             (distinct_lines U V)) => ((apart_point_and_line X U) \/
             ((apart_point_and_line X V) \/
              ((apart_point_and_line Y U) \/
               (apart_point_and_line Y V)))))))))
       ### [NotAllEx H0] --> [...] 4
    4. H7: (incident_point_and_line T_4 T_8)
       H9: (-. (equal_lines T_8 (line_connecting T_4 T_6)))
       H10: (distinct_points T_4 T_6)
       H11: (incident_point_and_line T_6 T_8)
       ### [Extension/szen/a4 H7 H12 H4 H8] --> 5
    5. H12: (-. (apart_point_and_line T_4 T_8))
       ### [Extension/szen/a4 H11 H13 H6 H8] --> 6
    6. H13: (-. (apart_point_and_line T_6 T_8))
       ### [Extension/szen/not_ax2 H9 H14 H8 H15] --> 7
    7. H14: (distinct_lines T_8 (line_connecting T_4 T_6))
       ### [All H2] --> 8
    8. H16: (All Y, (All U, (All V, (((distinct_points T_4 Y) /\
              (distinct_lines U V)) => ((apart_point_and_line T_4 U) \/
              ((apart_point_and_line T_4 V) \/
               ((apart_point_and_line Y U) \/
                (apart_point_and_line Y V))))))))
       ### [All H16] --> 9
    9. H17: (All U, (All V, (((distinct_points T_4 T_6) /\
              (distinct_lines U V)) => ((apart_point_and_line T_4 U) \/
              ((apart_point_and_line T_4 V) \/
               ((apart_point_and_line T_6 U) \/
                (apart_point_and_line T_6 V)))))))
       ### [All H17] --> 10

Figure 4: Proof of Geometry Problem #170-1-3 of TPTP (Part 1)

    10. H18: (All V, (((distinct_points T_4 T_6) /\
               (distinct_lines T_8 V)) =>
               ((apart_point_and_line T_4 T_8) \/
                ((apart_point_and_line T_4 V) \/
                 ((apart_point_and_line T_6 T_8) \/
                  (apart_point_and_line T_6 V))))))
        ### [All H18] --> 11
    11. H19: (((distinct_points T_4 T_6) /\
               (distinct_lines T_8 (line_connecting T_4 T_6))) =>
               ((apart_point_and_line T_4 T_8) \/
                ((apart_point_and_line T_4 (line_connecting T_4 T_6)) \/
                 ((apart_point_and_line T_6 T_8) \/
                  (apart_point_and_line T_6 (line_connecting T_4 T_6))))))
        ### [DisjTree H19] --> 12 13 14 15 16 17
    12. H20: (-. (distinct_points T_4 T_6))
        ### [Axiom H10 H20]
    13. H21: (-. (distinct_lines T_8 (line_connecting T_4 T_6)))
        ### [Axiom H14 H21]
    14. H22: (apart_point_and_line T_4 T_8)
        ### [Axiom H22 H12]
    15. H23: (apart_point_and_line T_4 (line_connecting T_4 T_6))
        ### [All H1] --> 18
    18. H24: (All Y, ((distinct_points T_4 Y) =>
               (-. (apart_point_and_line T_4 (line_connecting T_4 Y)))))
        ### [All H24] --> 19
    19. H25: ((distinct_points T_4 T_6) =>
               (-. (apart_point_and_line T_4 (line_connecting T_4 T_6))))
        ### [Imply H25] --> 20 21
    20. H20: (-. (distinct_points T_4 T_6))
        ### [Axiom H10 H20]
    21. H26: (-. (apart_point_and_line T_4 (line_connecting T_4 T_6)))
        ### [Axiom H23 H26]
    16. H27: (apart_point_and_line T_6 T_8)
        ### [Axiom H27 H13]
    17. H28: (apart_point_and_line T_6 (line_connecting T_4 T_6))
        ### [Extension/szen/ci2ctrp H28 H20 H4 H6] --> 22
    22. H20: (-. (distinct_points T_4 T_6))
        ### [Axiom H10 H20]

Figure 5: Proof of Geometry Problem #170-1-3 of TPTP (Part 2)

1. Given $\neg\mathrm{distinct\_points}(x, y)$, we have also $\mathrm{distinct\_points}(x, y)$ in hypothesis, which is
therefore absurd;

2. Given $\neg\mathrm{distinct\_lines}(z, \mathrm{line\_connecting}(x, y))$, it is exactly the goal to be proved, which
is then proved directly by hypothesis;

3. Given $\mathrm{apart\_point\_and\_line}(x, z)$, we have also $\neg\mathrm{apart\_point\_and\_line}(x, z)$ in hypothesis,
which is therefore absurd;

4. Given $\mathrm{apart\_point\_and\_line}(x, \mathrm{line\_connecting}(x, y))$, we use the axiom (ci1) with $x$,
$y$, and $\mathrm{distinct\_points}(x, y)$, to have $\neg\mathrm{apart\_point\_and\_line}(x, \mathrm{line\_connecting}(x, y))$,
which is therefore absurd;

5. Given $\mathrm{apart\_point\_and\_line}(y, z)$, we have also $\neg\mathrm{apart\_point\_and\_line}(y, z)$ in hypothesis,
which is therefore absurd;

6. Given $\mathrm{apart\_point\_and\_line}(y, \mathrm{line\_connecting}(x, y))$ used with the converse of the axiom
(ci2) with $x$ and $y$, we have $\neg\mathrm{distinct\_points}(x, y)$, which is therefore absurd as we
have also $\mathrm{distinct\_points}(x, y)$ in hypothesis.


6 Conclusion 

In this paper, we have proposed an automated deduction method which allows us to produce proofs
close to the human intuition and practice. This method is based on tableaux and uses the principles of
superdeduction, among which the theory is used to enrich the deduction system with new deduction
rules, called superdeduction rules. We have presented two implementations of this method, which
consist of extensions of the Zenon automated theorem prover. The first implementation is a version
dedicated to the B set theory, where the superdeduction rules are hard-coded from the initial axiomatic
theory. The second implementation is a generic version able to deal with any first order theory, where
the theory is analyzed to determine the axioms which can be turned into superdeduction rules, and
where these superdeduction rules are automatically computed on the fly to enrich the deductive kernel
of Zenon. For information, these two implementations are available as free software at [15]. We have
also provided some examples of problems, which can be handled by these tools and which come from
different theories, such as the B set theory or theories of the TPTP library (in the puzzle and geometry
categories, in particular). In these examples, we have shown that both tools are able to produce formal
proofs comprehensible enough to recover the intuition of these proofs, and that the user can therefore
easily extract informal proof sketches from these proofs.

As future work, it would be interesting to improve the readability of the produced proofs in order
to get more natural proofs and in particular, it might be desirable to turn proofs into pure direct
proofs (searching for a proof of the initial formula), rather than refutational proofs (searching to
invalidate the negation of the initial formula). In a way, this corresponds to getting back to Gentzen’s
initial purely proof theoretical motivation when trying to find proofs in the cut-free version of sequent
calculus, and in particular, this is opposed to Hintikka and Beth’s semantic view of tableaux, which
consists of a procedure systematically trying to find a counter example for a given formula (i.e. a
model in which its negation is true). Such an improvement evokes some similar initiatives in other
automated theorem provers, such as Muscadet [fT^, which is based on natural deduction and which
uses methods resembling those used by humans.

To increase the readability of the proofs generated by our extensions, it would also be interesting to
export these proofs to other kinds of languages, which appear more appropriate regarding readability.
In particular, we could export the proofs to declarative proof languages, such as Isar [22] for Isabelle,
which tends to bridge the semantic gap between internal notions of proof given by state-of-the-art
interactive theorem proving systems and an appropriate level of abstraction for user-level work. This
translation should be automatic, and to be more effective, it should also probably be combined with an
interactive layer over the automated deduction tool (see below) in order to produce intelligible proofs,
i.e. proofs where a certain number of cuts can be manually introduced. We could even go further and
automatically produce proofs in natural languages using, for example, the ideas of [8], where Coq
formal proofs are translated into a pseudo natural language.

Finally, in this paper, our extensions only produce proofs automatically without any interaction
with the user. In an educational setting, a system able to present sample proofs is already a valuable
bonus, but the students must also be involved in the process of building proofs. To do so, the idea is
to implement an interactive layer over our extensions in the spirit of [21], which will aim to offer the
user the possibility to guide the proof search. This interactive layer would be a benefit for both the
user and the automated deduction tool. For the user, this layer could make the interface with the proof
engine, which could propose a set of applicable rules or next-step hints. For the automated deduction
tool, this layer could be used to find proofs with the help of the user, who could propose to focus on
some branches of the proof search, which would allow the tool to find a proof, while the strategy of
the tool would have focused on inappropriate branches resulting in an endless proof search.